Government agencies are instructed by Executive Order to improve the delivery of digital services to citizens while also safeguarding critical data and systems. Often, this leads to a difficult decision between speed of application production and software security. However, as recent events have shown, sacrificing security in the name of speed compromises the safety of citizens and government infrastructure. Here’s why the government is prioritizing software security and how agencies can reliably secure software development in the cloud and on-premises.
The following executive orders and memoranda make it clear that cybersecurity, and software security in particular, is a national priority. Let’s explore why they were created and what they require from you.
Executive Order on Improving the Nation’s Cybersecurity
In 2021, the Biden administration issued an executive order on cybersecurity that includes security requirements for vendors selling software to the U.S. government. This executive order was released after several cyberattacks from SolarWinds to Microsoft. In a recent interview, our CTO and Co-Founder, Chris Wysopal stated: “As a result of the Executive Order, software security is no longer a ‘nice to have;’ it’s a federal requirement. Much in the same way seatbelts became federally mandated in cars, all organizations will eventually implement these practices and adhere to the standards for improved software safety and security for all citizens.” This order mentions cloud services and cloud technology over a dozen times, revealing the government’s desire to keep up with modern software development. You can read more about the requirements of this executive order in this blog.
Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government
This Executive Order comes in light of more people interacting online with government agencies than ever before due to the global pandemic. It declares how agencies are supposed to improve digital service delivery to rebuild trust in the government. This means that agencies, especially high-impact service providers such as the USDA and the US Treasury, will be speeding up the rollout of better websites and applications that many citizens engage with. This order states: “To engender public trust, agencies must ensure that their efforts appropriately maintain or enhance protections afforded under law and policy, including those related to civil rights, civil liberties, privacy, confidentiality, and information security.” Agencies cannot afford to sacrifice security in the name of speed and citizen services, and so they need to find tools, training, and programs to strike the right balance.
M-22-09 : Moving the U.S. Government Toward Zero Trust Cybersecurity Principles
This memorandum adds a transition to a Zero Trust approach to security. This strategy emphasizes various security measures from multi-factor authentication to assessing security posture. It states: “a key tenet of Zero Trust architecture is that no network is implicitly considered trusted”. It also specifically mentions cloud-based infrastructure dozens of times, calling out both the benefits and inherent vulnerabilities, and it acknowledges how critical the Zero Trust approach is to securing cloud-native development. Click here to learn more about Zero Trust requirements.
M-22-18 : Enhancing the Security of the Software Supply Chain through Secure Software Development Practices
The reason for this memorandum is stated immediately in the first paragraph: “The global supply chain for [information and communication] technologies faces relentless threats from nation state and criminal actors seeking to steal sensitive information and intellectual property, compromise the integrity of Government systems, and conduct other acts that impact the United States Government’s ability to safely and reliably provide services to the public.” While software supply chain security was already part of the first Executive Order we mentioned, this memorandum adds a significant piece relating to development. It points to how agencies are increasingly developing in the cloud by specifically calling out “cloud-based software” in the requirements of the memorandum.
These orders are proof of the importance of securing software, but how are agencies supposed to comply with these requirements? Here are some of our tips for aligning with these imperative government cybersecurity requirements without negatively impacting speed of deployment.
Know What’s in Your Software
One of the most critical pieces of staying compliant and secure is knowing what’s in your software. A tool like Veracode SBOM gives you a list of the components that make up an application. This tool provides the kind of transparency that is an essential and required part of securing the software supply chain. It will help you identify vulnerabilities or license risks that could affect your organization.
Automate Secure Code Review
An application security program, not a hodge-podge of testing tools, will help you know who needs to do what, when they need to do it, and how to monitor compliance with your policies. This is true automation of security within the software development lifecycle. There are tremendous time-savings available when the automation of your application security program is set up correctly with the guidance of an application security expert.
Shorten Time to Remediation
In July of 2022, one federal cabinet reported that they spent 33,000 hours remediating flaws at the expense of mission priorities. One of the best ways to shorten time to remediation is utilizing machine learning. Unlike tools that only scan and find flaws, an intelligent security solution that utilizes machine learning delivers fixes so you can comply with policy faster.
Reduce the Skills Gap
Everyone talks about how there aren’t enough people to fill cybersecurity roles, and this is even more true for government agencies. Government agencies are already at a disadvantage and can benefit from experiential secure code training that reduces the skills gap of their hardworking teams. Research shows that developers who had completed just one Security Labs course remediated flaws 35% more quickly than those who hadn’t taken any courses.
We understand you need a tool that helps you improve security with fewer people. That’s why we were adamant about attaining a Federal Risk and Authorization Management Program (FedRAMP®) authorization.
As far as we’re concerned, these executive orders and memos are a huge win for human civilization. Our CTO, Chris Wysopal, helped put software security on the government’s map when he testified in front of a U.S. Senate committee investigating government cybersecurity in 1998. In 2006, he took another massive leap toward a world where software is built secure from the start when he co-founded Veracode.
We support the government’s mission so fully that we enlisted Quzara, an AWS Security partner and FedRAMP® compliance leader, to help us become FedRAMP authorized. Thanks in part to Quzara, you now have a complete application security program available in the FedRAMP marketplace.
FedRAMP authorization is no participation trophy. FedRAMP authorization is a milestone achievement which validates that we meet the government’s rigorous security and risk assessment standards, and this broadens opportunities for government agencies to find and adopt cloud services that are compliant.
Regarding the specific requirements of this momentous authorization, a recent press release explains: “Quzara consulted and advised on control remediation, implementations, AWS architecture design, and development for the offering. Quzara additionally developed the full FedRAMP® documentation stack, including the System Security Plan (SSP), SSP Attachments, and policies and procedures.”
So, what are your next steps for securing your software? Click here to schedule a call with one of our application security experts who can help you form a strategy for quickly delivering secure, compliant software that fulfills requirements and builds trust with civilians.